Tracking Darkports for Network Defense

David Whyte, Paul C. van Oorschot, Evangelos Kranakis
2007 Proceedings of the Computer Security Applications Conference  
We exploit for defensive purposes the concept of darkports: the unused ports on active systems. We are particularly interested in such ports which transition to become active (i.e., become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. We show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives. Our results also show that the network awareness gained by the use of darkports enables active response options to be safely focused exclusively on those systems that directly threaten the network. Finally, our evaluation of darkports using three different network datasets illustrates that they are scalable and offer the ability to rapidly characterize and group hosts in a network into different exposure profiles that can be used to detect successful compromises or unauthorized network activity.

service offerings from a host; these may indicate a successful compromise (e.g. a darkport suddenly starts to respond to a connection request). We propose a number of applications of exposure maps, and discuss our results and experiences of using exposure maps and darkports in three different network environments that range in size from less than a hundred to hundreds of thousands of users: (1) a lab network with a well-defined security policy and small user population, (2) a university network with a medium-sized user population (i.e. a thousand users), and (3) a backbone network. Our experiments are designed to explore the different applications of exposure maps. First, we validate a preliminary assertion from our position paper [35] that exposure maps are very effective at detecting both simple and sophisticated TCP scanning activity directed at an enterprise network. In a direct comparison, our scanning detection capability was significantly better than the well-known Snort [28]. Exposure maps exhibited both lower false negative and positive rates during our evaluation, and provided the ability to detect additional sophisticated scanning activity directed at the network.
Secondly, we show that the identification of darkports during the construction of the exposure maps provides network-centric knowledge enabling fine-grained automated responses, e.g. to identify and deny specific systems network access when they are found to be performing scanning activity and thereafter trying to access a legitimate service on a host in the network (common behavior for autorooters and worms [23]). This introduces the ability of selective automated response: a focused real-time active response option that limits the introduction of new access control rules to deny those scanning systems directly threatening network assets (i.e. those targeting actual services offered by the network). We emphasize the subtle point that systems that scan for services not offered by the network are simply identified (i.e. the scan attempt is recorded) but otherwise ignored (e.g. no access control rule is introduced to block the associated source IP address). This ability to initiate selective automated response reduces network configuration changes and complexity errors (e.g. by avoiding a dramatic increase in router/firewall rules, which can lead to a self-imposed denial of service), and avoids unnecessary performance degradation of network security devices [4, 38].

Thirdly, we illustrate how exposure maps may be used on both enterprise and backbone networks to logically classify systems into exposure profiles that identify and group systems according to the services they offer. We discuss the practical application of exposure profiles and how they can be used to identify malicious network activity (e.g. botnets and worm outbreaks). The technique requires very little computational overhead and easily scales to large enterprise environments or even backbone networks (see Section 6). Exposure maps and darkports differ from current scanning detection techniques in that they rely on identifying the services offered by the network instead of tracking external connection events.
The result is a scanning detection technique in which the utilized system detection state does not grow in proportion to the amount and fluctuation of external network traffic, but rather increases only with the number of services offered by the network, regardless of the size of the network and the external network activity. This obviates the need for shrinking time windows or timeouts to accommodate increases or bursts in network traffic, allowing scan detection with a footprint of a single packet or a frequency of hours or days between probes. As an added benefit, maintaining information about internal hosts in the network instead of external host activity provides the necessary network awareness to answer in real time questions that should be asked after a scan is detected, such as "What information has been revealed as a result of the scan?" and "Has the network behavior changed?"

The remainder of this paper is organized as follows. Section 2 refines the basic idea of exposure maps and darkports. Section 3 discusses how exposure maps can be used for a variety of security applications. Section 4 describes our implementation, and the evaluation datasets and methodology. Section 5 presents our evaluation results, including a comparison to Snort, and discussion of advanced scanning heuristics. Section 6 discusses the scalability and stability of exposure maps, including resilience to attacks. Section 7 presents further discussion and limitations. Section 8 reviews related work. We conclude in Section 9. Appendix A contains supporting data and analysis of a distributed scan.
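The following Python sketch is an added illustration of the mechanism described above (exposure map, darkport probe detection, selective automated response, trans-darkport detection and exposure profiles); it is not the authors' implementation and does not reproduce their datasets. It assumes a deliberately simplified TCP model: an internal host "offers" a service on a port once it has been observed answering with SYN-ACK, every other port on that host is treated as a darkport, and a training period is assumed to have captured all legitimate services before detection starts. The addresses, prefix and traffic sequence are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERNAL = "10.0.0."  # constructed internal prefix (assumption for this example)


@dataclass(frozen=True)
class Packet:
    """Minimal TCP view: only the fields the exposure map needs."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


class ExposureMap:
    """Tracks which (host, port) pairs internal hosts actually answer on.

    Detection state is the `offered` table, which grows with the number of
    services the network offers, not with the volume of external traffic:
    each external SYN is classified by a single lookup.
    """

    def __init__(self, internal_prefix: str) -> None:
        self.prefix = internal_prefix
        self.offered: Dict[str, Set[int]] = {}                 # host -> ports seen answering SYN-ACK
        self.training = True                                   # learn services, do not judge yet
        self.scan_log: Dict[str, List[Tuple[str, int]]] = {}   # scanner -> darkport probes (recorded only)
        self.probed: Set[Tuple[str, int]] = set()              # darkports that have been probed
        self.trans_darkports: List[Tuple[str, int]] = []       # probed darkports that went live
        self.block: Set[str] = set()                           # selective-response targets

    def _internal(self, ip: str) -> bool:
        return ip.startswith(self.prefix)

    def observe(self, p: Packet) -> str:
        # Internal host answering SYN-ACK: that port is (now) an offered service.
        if p.syn and p.ack and self._internal(p.src):
            ports = self.offered.setdefault(p.src, set())
            if p.sport not in ports:
                ports.add(p.sport)
                if (p.src, p.sport) in self.probed:
                    # A port known to be dark started responding: a change in the
                    # host's service offering that may indicate a compromise.
                    self.trans_darkports.append((p.src, p.sport))
                    return "trans-darkport"
            return "service"
        # External SYN toward an internal host: legitimate if the port is offered,
        # otherwise a probe of a darkport, i.e. a scan.
        if p.syn and not p.ack and self._internal(p.dst) and not self._internal(p.src):
            if p.dport in self.offered.get(p.dst, set()):
                if p.src in self.scan_log:
                    # A recorded scanner now targets a real service: block it.
                    self.block.add(p.src)
                    return "block"
                return "legit"
            if self.training:
                return "unknown"  # map not yet learned; withhold judgement
            self.probed.add((p.dst, p.dport))
            self.scan_log.setdefault(p.src, []).append((p.dst, p.dport))
            return "scan"
        return "ignore"

    def profiles(self) -> Dict[frozenset, List[str]]:
        """Exposure profiles: group hosts by the set of services they offer."""
        groups: Dict[frozenset, List[str]] = {}
        for host, ports in self.offered.items():
            groups.setdefault(frozenset(ports), []).append(host)
        return {k: sorted(v) for k, v in groups.items()}


def syn(src: str, dst: str, dport: int, sport: int = 40000) -> Packet:
    return Packet(src, sport, dst, dport, syn=True, ack=False)


def synack(host: str, port: int, dst: str, dport: int = 40000) -> Packet:
    return Packet(host, port, dst, dport, syn=True, ack=True)


def demo() -> dict:
    """Runs constructed traffic (not the paper's data) through the map; returns verdicts."""
    em = ExposureMap(INTERNAL)
    # Training: internal web and ssh servers answer ordinary external clients.
    for p in [syn("203.0.113.5", "10.0.0.2", 80), synack("10.0.0.2", 80, "203.0.113.5"),
              syn("203.0.113.6", "10.0.0.3", 22), synack("10.0.0.3", 22, "203.0.113.6"),
              syn("203.0.113.6", "10.0.0.4", 80), synack("10.0.0.4", 80, "203.0.113.6")]:
        em.observe(p)
    em.training = False
    verdicts = []
    for p in [syn("198.51.100.7", "10.0.0.2", 23),     # darkport probe -> scan (recorded)
              syn("198.51.100.7", "10.0.0.2", 80),     # same source hits a real service -> block
              syn("198.51.100.9", "10.0.0.3", 3389),   # darkport probe -> scan
              syn("198.51.100.9", "10.0.0.3", 445),    # darkport probe -> scan, never blocked
              syn("203.0.113.5", "10.0.0.2", 80),      # ordinary client -> legit
              synack("10.0.0.2", 23, "198.51.100.7")]: # darkport 23 goes live -> trans-darkport
        verdicts.append(em.observe(p))
    return {"verdicts": verdicts, "block": em.block, "scanners": sorted(em.scan_log),
            "trans": em.trans_darkports, "profiles": em.profiles()}


if __name__ == "__main__":
    print(demo())
```

Note what the verdict sequence shows: 198.51.100.9 probes only darkports and is recorded without any access-control change, while 198.51.100.7 is blocked only at the moment it moves from a darkport probe to an offered service. The final SYN-ACK from port 23 on 10.0.0.2 is reported as a trans-darkport and also changes that host's exposure profile, which is the kind of real-time change the paper proposes to watch for.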
doi:10.1109/acsac.2007.4412986 fatcat:5cftdbioxjb7vl3ehf6exh5pym